North Korea Just Robbed DeFi for $577 Million in 18 Days and Nobody Saw It Coming

By Optimisus
about 4 hours ago
BTC TRX SOL SUI

April 2026 was the worst month for crypto security in over a year. Two attacks. Two protocols. One state-sponsored hacking group has now stolen more than $6 billion from the industry since 2017.

The numbers are stark. Crypto hack losses totalled over $630 million in April 2026, the highest monthly figure since February 2025. Security firms CertiK, PeckShield, and DeFiLlama put the month's total between $630 million and $651 million, the spread reflecting differences in what each firm counts as a hack; none reported a figure below $630 million.

But the raw number only tells half the story. The other half is who did it, how they did it, and why DeFi's most sophisticated protocols were still caught completely off guard.

Two Attacks. Eighteen Days Apart. Same Perpetrator.

The Drift Protocol breach on April 1 ($285 million) and the KelpDAO bridge exploit on April 18 ($292 million) represent just 3% of 2026’s incident count, yet account for 76% of all stolen value this year. Both attacks have been attributed to North Korean state-sponsored hacking groups—specifically units operating under the Lazarus Group umbrella.

This is not a coincidence. It is a pattern.

The Drift Attack: Six Months of Patience

On April 1, 2026, Drift Protocol — the largest DeFi protocol on the Solana blockchain — was drained of an estimated $285 million, wiping out more than 50% of its total value locked.

What made this attack remarkable was not the technical exploit. It was the timeline behind it.

Drift has since revealed that the attack was the culmination of a months-long, meticulously planned social engineering operation that began in fall 2025, attributed with medium confidence to a North Korean state-sponsored group called UNC4736, also tracked as AppleJeus, Citrine Sleet, and Gleaming Pisces.

The attackers did not break in through a backdoor. They walked through the front door.

Between December 2025 and January 2026, the group onboarded an Ecosystem Vault on Drift, depositing more than $1 million of their own funds to build credibility. They engaged with multiple contributors, asking detailed and informed product questions, with integration conversations continuing through February and March 2026.

The attackers then used Solana's "durable nonces" feature to get legitimate Drift Security Council members to unknowingly pre-approve the attack. A normal Solana transaction is only valid while the recent blockhash it references is fresh, a window of roughly a minute; a durable-nonce transaction instead references a nonce stored in an on-chain account and stays valid until that nonce is advanced, so it can be signed now and submitted whenever the holder of the nonce authority chooses. The transactions the council members signed appeared routine at the time. But they contained instructions to transfer administrative control of the protocol to an attacker-controlled address.

Once that control was granted, the rest took minutes. The attackers whitelisted a worthless fake token as collateral, deposited 500 million units of it, and used it to withdraw $285 million in real assets, including USDC, SOL, and ETH. According to Elliptic’s calculations, the amount made it the largest DeFi hack of 2026 and the second-largest security incident in Solana’s history, behind only the $326 million Wormhole bridge exploit in 2022.
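What a signer-side check against this pattern could look like, as an added example that is not Drift's or Solana Labs' code: the script below models only the parts of a Solana transaction message that matter and flags a transaction that both relies on a durable nonce and carries an authority-changing instruction. The System Program id and the AdvanceNonceAccount encoding (instruction index 4 as a little-endian u32, which must be the first instruction of a durable-nonce transaction) are Solana's real wire format; the protocol program id, the 8-byte instruction discriminators, and the sample transactions are constructed placeholders.

```python
"""Pre-signature policy check for a Solana transaction message.

Added illustration, not Drift's or Solana Labs' code. Only the fields the check
needs are modelled. Two facts of Solana's wire format are used: the System
Program id below, and the rule that a durable-nonce transaction must start with
a System Program AdvanceNonceAccount instruction (enum index 4, little-endian
u32). The protocol program id, the instruction discriminators and the sample
transactions are constructed placeholders.
"""
from dataclasses import dataclass
import struct

SYSTEM_PROGRAM_ID = "11111111111111111111111111111111"
RECENT_BLOCKHASHES_SYSVAR = "SysvarRecentB1ockHashes11111111111111111111"
ADVANCE_NONCE_ACCOUNT = struct.pack("<I", 4)  # SystemInstruction::AdvanceNonceAccount

# Hypothetical protocol program and 8-byte instruction discriminators (placeholders).
PROTOCOL_PROGRAM_ID = "Proto1111111111111111111111111111111111111111"
SENSITIVE_INSTRUCTIONS = {
    (PROTOCOL_PROGRAM_ID, bytes.fromhex("0a1b2c3d4e5f6071")): "transfer admin authority",
    (PROTOCOL_PROGRAM_ID, bytes.fromhex("1122334455667788")): "whitelist collateral token",
}


@dataclass(frozen=True)
class Instruction:
    program_id: str
    accounts: tuple   # account keys the instruction touches
    data: bytes       # raw instruction data; leading bytes select the instruction


@dataclass(frozen=True)
class Message:
    signers: tuple
    recent_blockhash: str   # for a durable-nonce transaction: the stored nonce value
    instructions: tuple


def uses_durable_nonce(msg: Message) -> bool:
    """A durable-nonce transaction begins with System::AdvanceNonceAccount."""
    if not msg.instructions:
        return False
    first = msg.instructions[0]
    return first.program_id == SYSTEM_PROGRAM_ID and first.data[:4] == ADVANCE_NONCE_ACCOUNT


def review(msg: Message) -> list:
    """Findings a signer should read before approving; empty means nothing notable."""
    findings = []
    if uses_durable_nonce(msg):
        accts = msg.instructions[0].accounts
        # AdvanceNonceAccount accounts: [nonce account, RecentBlockhashes sysvar, nonce authority]
        authority = accts[2] if len(accts) > 2 else "?"
        findings.append(
            "durable nonce: signature stays valid until the nonce is advanced; "
            f"nonce authority {authority} decides when this executes"
        )
    for i, ix in enumerate(msg.instructions):
        label = SENSITIVE_INSTRUCTIONS.get((ix.program_id, ix.data[:8]))
        if label:
            findings.append(f"instruction {i}: {label} via {ix.program_id}")
    return findings


def decision(msg: Message) -> str:
    """Policy: durable nonce plus a sensitive instruction is rejected outright;
    either one alone is held for manual review."""
    findings = review(msg)
    sensitive = any(f.startswith("instruction ") for f in findings)
    durable = uses_durable_nonce(msg)
    if sensitive and durable:
        return "REJECT"
    if sensitive or durable:
        return "REVIEW"
    return "OK"


# Constructed sample transactions (not real Drift transactions).
COUNCIL_MEMBER = "Counci1Member11111111111111111111111111111111"
ATTACKER = "Attacker111111111111111111111111111111111111"
NONCE_ACCOUNT = "NonceAcct1111111111111111111111111111111111"

ROUTINE_TX = Message(
    signers=(COUNCIL_MEMBER,),
    recent_blockhash="<fresh blockhash, expires in about a minute>",
    instructions=(
        Instruction(PROTOCOL_PROGRAM_ID, (COUNCIL_MEMBER,), bytes.fromhex("deadbeefdeadbeef") + b"\x01"),
    ),
)

PRESIGNED_TAKEOVER = Message(
    signers=(COUNCIL_MEMBER, ATTACKER),
    recent_blockhash="<nonce value stored in NONCE_ACCOUNT>",
    instructions=(
        Instruction(SYSTEM_PROGRAM_ID, (NONCE_ACCOUNT, RECENT_BLOCKHASHES_SYSVAR, ATTACKER), ADVANCE_NONCE_ACCOUNT),
        Instruction(PROTOCOL_PROGRAM_ID, (COUNCIL_MEMBER, ATTACKER), bytes.fromhex("0a1b2c3d4e5f6071") + ATTACKER.encode()),
    ),
)

if __name__ == "__main__":
    for name, msg in (("routine", ROUTINE_TX), ("pre-signed takeover", PRESIGNED_TAKEOVER)):
        print(f"{name}: {decision(msg)}")
        for f in review(msg):
            print("  -", f)
```

The point of the check is that the dangerous combination is visible in the raw message before any signature is produced: the first instruction tells you the transaction will not expire, and the discriminator of a later instruction tells you what it does. A signing tool that surfaces both facts, rather than a generic "approve" prompt, removes the "looked routine at the time" failure mode.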

The KelpDAO Attack: Infrastructure Poisoning at Scale

Seventeen days later, the same North Korean network struck again — this time with an entirely different method.

On April 18, an attacker exploited KelpDAO’s LayerZero-powered bridge to drain 116,500 rsETH, about $292 million, and roughly 18% of the token’s circulating supply—triggering an emergency pause of core contracts.

Crucially, the incident was not a smart contract hack. It was an attack on off-chain infrastructure. The attackers compromised internal RPC nodes and used a DDoS attack to knock out the external ones, so that the bridge's lone verifier, itself a single point of failure, attested to cross-chain messages on the basis of false chain data.

The technical architecture at the center of the dispute is a 1-of-1 DVN setup: a single Decentralized Verifier Network (DVN) is the only required verifier, so any cross-chain message carrying that one verifier's attestation is accepted on the destination chain. LayerZero attributed the attack to North Korea's Lazarus Group and its TraderTraitor subunit, and said KelpDAO had chosen this single-verifier configuration despite prior recommendations to adopt a multi-verifier setup, in which several independent verifiers would have to agree before a message is delivered.

KelpDAO pushed back hard. The protocol disagreed with LayerZero’s framing, noting that LayerZero’s own quickstart guide and default GitHub configuration showed a 1/1 DVN setup and that 40% of protocols on LayerZero were using the same configuration at the time of the exploit.

The finger-pointing between a major protocol and its messaging layer in the aftermath of a $292 million theft captured the industry's attention. But it also obscured the more important finding. Traditional security tools missed the attack entirely because every on-chain transaction looked valid: the destination-chain releases were properly attested by the configured verifier, and it was the attested data that was false. Spotting this type of exploit requires cross-chain invariant monitoring, which continuously checks that tokens released on a destination chain match the assets burned or locked on the source chain, message by message and in aggregate.
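What cross-chain invariant monitoring looks like in practice, as an added example that is not KelpDAO's or LayerZero's code: the script below reconciles source-chain burn events against destination-chain release events by message id and by route, and flags a release that has no matching burn, the signature of a verifier that attested to false data. The event shapes and the sample events, including the forged 116,500-token release, are constructed for the example.

```python
"""Cross-chain invariant monitor for a burn-and-release bridge.

Added illustration, not KelpDAO's or LayerZero's code. For a token that is
burned (or locked) on a source chain and released on a destination chain, two
invariants must hold: every release matches a source burn with the same message
id, amount and route, and cumulative released never exceeds cumulative burned
on any route. A release with no matching burn is what a verifier fed false
chain data produces, even though the destination transaction itself is
well-formed and properly attested. Event shapes and sample events are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Burn:
    chain: str
    guid: str       # bridge message id shared by both sides
    to_chain: str
    amount: int     # token base units (1e18 per token)


@dataclass(frozen=True)
class Release:
    chain: str
    guid: str
    from_chain: str
    amount: int


def check_invariants(burns, releases):
    """Reconcile destination releases against source burns.

    Returns (alerts, in_flight): alerts are invariant violations; in_flight lists
    burns not yet released, which is normal bridge latency and not an alert."""
    burns_by_guid = {b.guid: b for b in burns}
    burned_by_route = defaultdict(int)
    released_by_route = defaultdict(int)
    for b in burns:
        burned_by_route[(b.chain, b.to_chain)] += b.amount

    alerts = []
    seen = set()
    for r in releases:
        released_by_route[(r.from_chain, r.chain)] += r.amount
        if r.guid in seen:
            alerts.append(f"{r.guid}: release replayed on {r.chain}")
            continue
        seen.add(r.guid)
        b = burns_by_guid.get(r.guid)
        if b is None:
            alerts.append(f"{r.guid}: {r.amount} released on {r.chain} with no source burn on {r.from_chain}")
        elif b.amount != r.amount or b.to_chain != r.chain or b.chain != r.from_chain:
            alerts.append(f"{r.guid}: burned {b.amount} {b.chain}->{b.to_chain}, released {r.amount} {r.from_chain}->{r.chain}")

    # Aggregate check per route catches over-release even when per-message ids look plausible.
    for route, released in released_by_route.items():
        burned = burned_by_route.get(route, 0)
        if released > burned:
            alerts.append(f"route {route[0]}->{route[1]}: released {released} exceeds burned {burned} by {released - burned}")

    in_flight = [b.guid for b in burns if b.guid not in seen]
    return alerts, in_flight


E18 = 10**18
# Constructed sample events: two genuine burns on Ethereum, one still in flight,
# and a forged 116,500-token release on Arbitrum that no burn ever backed.
SAMPLE_BURNS = [
    Burn("ethereum", "g1", "arbitrum", 100 * E18),
    Burn("ethereum", "g2", "arbitrum", 50 * E18),
]
SAMPLE_RELEASES = [
    Release("arbitrum", "g1", "ethereum", 100 * E18),
    Release("arbitrum", "g3", "ethereum", 116_500 * E18),
]

if __name__ == "__main__":
    alerts, in_flight = check_invariants(SAMPLE_BURNS, SAMPLE_RELEASES)
    for a in alerts:
        print("ALERT", a)
    print("in flight:", in_flight)
```

A burn that has not yet been released is reported as in flight rather than alerted, so the monitor tolerates normal delivery latency; the forged release trips two alerts at once, the orphan message id and the route total, and either one is enough to justify pausing the bridge. The source-side view has to come from nodes the monitor operator trusts, since the whole attack was about feeding a verifier the wrong view of the source chain.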

The fallout spread fast. The $292 million KelpDAO breach triggered one of DeFi’s largest-ever wipeouts, erasing about $13 billion from lending platforms and leaving Aave with a major bad-debt crisis that industry players are now trying to backstop with $300 million in pledges.

The Arbitrum Security Council, coordinating with law enforcement, managed to freeze over 30,000 ETH of the attacker’s downstream funds, blocking what would have been a second $95 million drain attempt.

The Bigger Picture: A $6 Billion Theft Program

These two attacks are not isolated incidents. They are part of a decade-long, state-sponsored campaign to fund North Korea’s weapons program through cryptocurrency theft.

North Korea’s share of total crypto hack losses has grown from under 10% in 2020 and 2021 to 22% in 2022, 37% in 2023, 39% in 2024, and 64% in 2025. The 2026 figure of 76% through April is the highest sustained share on record.

North Korea’s cumulative crypto theft now exceeds $6 billion in attributed incidents since 2017, according to TRM Labs.

What has changed is the sophistication of the approach. The Drift attack targeted governance infrastructure through social engineering, while the KelpDAO attack exploited a single-verifier design flaw combined with a targeted infrastructure assault. The two attacks show diverging laundering playbooks — after an initial cross-chain movement to Ethereum, Drift’s stolen funds went dormant, while KelpDAO’s proceeds were laundered through THORChain after Arbitrum froze a portion of the funds.

THORChain processed the vast majority of proceeds from both the 2025 Bybit breach and the 2026 KelpDAO hack, converting hundreds of millions in stolen ETH to Bitcoin with no operator willing to freeze or reject transfers — making it the consistent bridge of choice across North Korea’s largest heists.

What Comes Next

LayerZero has since announced it will no longer sign or authenticate messages from any application using a 1/1 DVN configuration — a forced protocol-level migration affecting a significant portion of its active integrations.

But policy changes after the fact raise a clear question: why were the defaults set this way to begin with?

For the broader DeFi ecosystem, the lesson from April 2026 is uncomfortable. The attack surface is no longer just smart contract code. Security researcher and MetaMask developer Taylor Monahan has revealed that North Korean IT operatives have worked inside more than 40 decentralized finance platforms, with their presence stretching back to DeFi Summer in 2020.

For DeFi projects handling hundreds of millions of dollars, tightening recruitment practices, enforcing sanctions screening, and scrutinizing remote contributors are becoming as important as smart-contract audits. The line between HR risk and protocol security is disappearing entirely.

April 2026 did not reveal a new threat. It confirmed how far an old one has evolved.

Sources: CoinDesk, Bloomberg, Chainalysis, TRM Labs, Elliptic, TheStreet Crypto, The Hacker News, CryptoPotato
